Changing the Security Mindset

As cyber attacks evolve in number and complexity, financial services organizations must embrace proactive security strategies.

Cyber security is rapidly evolving as an area of concern for insurers, with data breaches occurring more often than ever. Recent data from the Ponemon Institute reveals that 43 percent of businesses have experienced an attack in the past 12 months, and the changing motivation behind them is posing an even greater threat to the industry.

“Today, the main driver in hacking is financial,” says Jerry Irvine, CIO of Prescient Solutions and member of the National Cyber Security Task Force. “Criminal, governmental, and third-party organizations are all financially driven.”

Modern-day criminals want to be more than nuisances or political rebels, says Irvine, and today’s technology isn’t complex enough to block their attacks. Modern solutions are designed to protect environments with physical perimeters, but the growth of cloud technologies and evolution of hackers’ abilities are rendering these ineffective. Hackers don’t have new tools, but more of them are discovering and exploiting the flaws within existing systems.

Hackers have an advantage over businesses because they collaborate and share effective criminal procedures and malware systems. Organizations don’t share their information as openly as hackers do, says Irvine, which places them at a great disadvantage in terms of cyber security and increases their risk of lawsuits.

It’s no longer enough for insurers to strengthen the outside barriers to their organizations. They must also secure exactly what they need to protect: their data. Now is the time for organizations to forgo a reactive approach to security in favor of more proactive strategies.

“We have to understand that there is going to be a breach,” Irvine emphasizes. “Because of the lack of perimeters and accessibility of data, there have to be larger constraints around the data itself.”

He recommends that insurers begin by conducting a risk assessment, a process significantly more complex for organizations than for consumers. In addition to defining regulatory and compliance requirements, insurers must detail and inventory everything that relates to their data. This involves determining which apps access each set of data, as well as categorizing information as critically confidential.

To minimize damage in the event of a data breach, carriers should have an incident response plan, says Kirstin Simonson, underwriting director for Travelers Global Technologies. Many businesses lack a responsive strategy, she says, or a team in place to mitigate the effects of a cyber attack.

“That’s really a discussion that needs to cross multiple disciplines within the organization,” Simonson says of developing a response plan. Information and security experts, general counsel, and board-level executives should collaborate to identify business objectives, which entities are at risk, and how to best respond to a breach.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...